Cyber Security: Contractors Be Prepared
Cyber security is about more than credit card fraud, and the financial impact of a breach reaches much further.
One method experts use to estimate the potential impact is to count every file on the network that contains a combination of two of the following: name, Social Security number, driver's license number, personal health information, credit card number, bank account number or date of birth. Multiply the number of people who must be notified by $188 (for example, notifying 1,000 people comes to $188,000). Few companies can set aside that kind of money for breach recovery.
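The counting method above, carried out in code as an added example written for this page (it is not code from the original article): it scans a set of constructed sample files for the identifier formats that can be recognised by pattern alone (Social Security number, date of birth, payment card number confirmed with the Luhn check, bank account number), flags every file holding two or more categories, and multiplies by the $188 figure. The sample files, the regular expressions, and the assumption that each flagged file corresponds to one person to notify are all the example's own; names, driver's license numbers and health information have no fixed format and are left for a context-aware detector.

```python
import re

# Constructed sample "files" (filename -> contents) standing in for a scan of a
# network share. Every identifier below is a synthetic test value, not real data.
SAMPLE_FILES = {
    "hr/roster.txt": "Jane Doe, SSN 123-45-6789, DOB 04/12/1980, ext. 4412",
    "hr/onboard.txt": "John Roe, corporate card 5555 5555 5555 4444, DOB 1979-11-02",
    "ap/vendor.txt": "Acme Supply, account 9876543210, routing 021000021",
    "sales/receipt.txt": "Card 4111 1111 1111 1111 exp 09/27, amount 1,250.00",
    "notes/meeting.txt": "Discussed BIM model handoff for Lot 7 with the architect.",
}

# Identifier formats from the article's list that a pattern can recognise.
# Names, driver's license numbers and health information have no fixed format
# and need a dictionary- or context-based detector, so they are out of scope here.
PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # date of birth as MM/DD/YYYY or ISO YYYY-MM-DD (any date in these forms
    # matches, so hits need a human review pass)
    "dob": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    # bank account number introduced by the word "account"
    "bank_account": re.compile(r"\baccount\s*(?:no\.?|#)?\s*\d{8,17}\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out phone/part numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of identifier categories found in one file's text."""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue        # digit run that fails Luhn is not a card number
            found.add(kind)
            break               # one hit per category is enough
    return found


def estimate(files: dict, cost_per_person: int = 188):
    """Flag files holding two or more identifier categories and cost the notifications.

    Assumption (the example's own, not the article's): each flagged file relates
    to one individual who must be notified. A real scan would de-duplicate
    people across files; the two-category rule alone does not do that.
    """
    hits = {}
    for name, text in files.items():
        kinds = classify(text)
        if len(kinds) >= 2:
            hits[name] = kinds
    people = len(hits)
    return hits, people, people * cost_per_person


if __name__ == "__main__":
    hits, people, cost = estimate(SAMPLE_FILES)
    for name, kinds in hits.items():
        print(f"{name}: {sorted(kinds)}")
    print(f"{people} people to notify, estimated cost ${cost:,}")
```

On the constructed input, only the two HR files meet the two-identifier rule. The sales receipt carries a valid card number on its own and so does not count under this rule, even though a stored card number is a PCI problem in its own right; the vendor file holds a bank account number and a routing number, which the rule treats as one category. Any scan of this kind over-counts dates and under-counts identifiers without a fixed format, so the figure it produces is a floor for planning, not a final number.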
Cyber criminals are sophisticated and well equipped to go after the goldmine of information collected by businesses, nonprofits and government entities. One of the largest data breaches in history hit Target stores during the busiest three weeks of the year, between Black Friday and December 15, 2013. It affected as many as 40 million people who used their credit or debit cards. An investigation by the Secret Service revealed that 1,797 stores around the country were involved.
In 2015, hackers also pulled off several large data breaches, among them Anthem and the supposedly hack-proof Internal Revenue Service; eBay, Home Depot and JP Morgan had been hit the year before. That same year the names and Social Security numbers of 566 current and former Turner Construction employees from Washington state were sent to a fraudulent email address. An employee had fallen for a phishing scam and mistakenly forwarded the information to an unauthorized individual.
While there is plenty in the news about large companies being hit, small companies are affected just as much. A Ponemon Institute survey found that 55 percent of small businesses have experienced a breach, yet only 33 percent notified the people affected, even though notification was required at the time in 46 states, D.C. and Puerto Rico. The only four states then without a data breach notification law were Alabama, Kentucky, New Mexico and South Dakota; every state has since enacted one.
Why would a construction company risk fines and its reputation by ignoring a data breach? Because it doesn't believe a breach will happen to it. When one does, the company is unprepared and doesn't know how to respond, so it may ignore the incident and hope it goes undetected. But with the growing use of Building Information Modeling (BIM), Integrated Project Delivery (IPD) and file sharing among the participants in a building project, the risk rises significantly. An attacker who gets into a shared project environment may be able to reach architectural designs, including the designs of security systems and features; financial information; confidential project-specific information; and employees' personal information. Fines vary by state, but under at least one state's statute a company that knowingly fails to provide the required notice to a consumer faces a civil fine of up to $250 per failure, capped at $750,000 for notification failures arising from the same security breach.
According to a report issued in April 2015 by the Cybersecurity Unit of the U.S. Department of Justice (Best Practices for Victim Response and Reporting of Cyber Incidents), any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. The report notes that a quick, effective response to a cyber incident can be critical to minimizing the resulting harm and expediting recovery. The best time to plan that response is now, before an incident occurs, by preparing for the periods before, during and after a cyber incident:
- before an incident, start by identifying mission-critical data and adopting the risk management practices described in the National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- during an incident, be prepared to assess its scope and nature, including whether it is a malicious act or a technical glitch; and
- after recovering from a cyber attack, continue to monitor for anomalous activity to make sure the company has regained control of its network, and conduct a post-incident review to identify any deficiencies in the planning and execution of the response plan.
While policies may differ between insurance carriers, most cyber and privacy policies cover a business’ liability for a data breach in which the firm’s customers’ personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties and loss resulting from identity theft.
In addition, the policies cover liability arising from website media content, as well as property exposures from:
- business interruption;
- data loss/destruction;
- computer fraud;
- funds transfer loss; and
- cyber extortion.
Breaches are now a part of life in every industry, construction included, and yet when one happens, all too often the company pulls out an antiquated incident-response plan that hasn't been looked at in two years or, worse yet, can't find it at all when it reaches for it.